Zero-day vulnerability in Adobe Reader

ronjor · Feb 13, 2013

Adobe Reader Adobe Reader appears to be suffering from a critical zero-day vulnerability that allows criminals to inject malicious code into a system. A report by researchers from FireEye says they have encountered a specially crafted PDF document which, when opened, drops two DLLs into Windows.
Click to expand...

http://www.h-online.com/security/news/item/Zero-day-vulnerability-in-Adobe-Reader-1803029.html

siljaline · Feb 13, 2013

Also cited:

http://www.zdnet.com/dont-open-that-pdf-theres-an-adobe-reader-zero-day-on-the-loose-7000011241/

http://arstechnica.com/security/2013/02/zero-day-attack-exploits-latest-version-of-adobe-reader/

http://nakedsecurity.sophos.com/2013/02/13/adobe-pdf-reader-zero-day/

http://www.f-secure.com/weblog/archives/00002500.html

http://www.webpronews.com/adobe-pdf-reader-hit-by-zero-day-exploit-2013-02

http://www.net-security.org/secworld.php?id=14410

http://www.datamation.com/news/researchers-warn-of-zero-day-adobe-reader-vulnerability.html

http://www.geek.com/articles/news/n...already-being-exploited-by-phishers-20130213/

http://www.securityweek.com/fireeye-researchers-discover-pdf-zero-day-used-active-attacks

DrBenGolfing · Feb 13, 2013

Does this work on Foxit or the built-in reader in Chrome and Firefox?

ronjor · Feb 14, 2013

Security Advisory for Adobe Reader and Acrobat

Affected software versions

Adobe Reader XI (11.0.01 and earlier) for Windows and Macintosh
Adobe Reader X (10.1.5 and earlier) for Windows and Macintosh
Adobe Reader 9.5.3 and earlier 9.x versions for Windows and Macintosh
Adobe Acrobat XI (11.0.01 and earlier) for Windows and Macintosh
Adobe Acrobat X (10.1.5 and earlier) for Windows and Macintosh
Adobe Acrobat 9.5.3 and earlier 9.x versions for Windows and Macintosh

mitigations

Users of Adobe Reader XI and Acrobat XI for Windows can protect themselves from this exploit by enabling Protected View. To enable this setting, choose the "Files from potentially unsafe locations" option under the Edit > Preferences > Security (Enhanced) menu.

Enterprise administrators can protect Windows users across their organization by enabling Protected View in the registry and propagating that setting via GPO or any other method. Further information about enabling Protected View for the enterprise is available here.
Click to expand...

http://www.adobe.com/support/security/advisories/apsa13-02.html

ronjor · Feb 14, 2013

Thanks, Adobe. Protection for critical zero-day exploit not on by default

by Dan Goodin

The recently discovered zero-day attacks targeting critical vulnerabilities in Adobe's ubiquitous Reader application are able to bypass recently added security defenses unless end users manually make changes to default settings, company officials said.

According to an advisory Adobe published Wednesday night, the "protected view" feature prevents the current attacks from working—but only if it's manually enabled. To turn it on, access Preferences > Security (Enhanced) and then check the "Files from potentially unsafe locations," or even the "All files" option. Then click OK. There's also a way for administrators to enable protected view on Windows machines across their organization.
Click to expand...

http://arstechnica.com/security/201...r-critical-zero-day-exploit-not-on-by-default

FanJ · Feb 14, 2013

Thanks Ron!

siljaline · Feb 14, 2013

Adobe confirms targeted attacks due to security hole in Reader

Cybercriminals have already taken advantage of the latest security hole in Adobe Reader and Acrobat.

Adobe said it's currently working on a fix for the security issue and will update its bulletin once a launch has been scheduled. In the meantime, Windows users of Adobe Reader XI and Acrobat XI can protect themselves from the security exploit by turning on Protected View as follows:
Click to expand...

Open Reader or Acrobat. Click on the Edit menu, select Preferences, and then click on the Security (or Security Enhanced) option. In the Protected View section at the top of the window, click on the button to enable "Files from potentially unsafe locations" and then click OK.
Click to expand...

Hungry Man · Feb 14, 2013

I suggest using protected view and EMET. Based on a very quick look (busy) I'd say EMET would stop this.

siljaline · Feb 15, 2013

Adobe didn't tell us to disable AdobeARM from MSCONFIG.

Please ask a Mod or an Expert if you are unsure | uncomfortable performing the above action.

ronjor · Feb 17, 2013

Emergency patches for Adobe Reader scheduled

Adobe Fix The recent zero-day vulnerabilities in Adobe's Reader and Acrobat XI, which became known about a few days ago, now have fixes and updates scheduled. According to a weekend blog post from Adobe, the issues, CVE-2013-0640 and CVE-2013-0641, will be fixed with an update "during the week of February 18, 2013"
Click to expand...

http://www.h-online.com/security/news/item/Emergency-patches-for-Adobe-Reader-scheduled-1804966.html

SweX · Feb 17, 2013

Thx Ron, then I know when to make an update as I update manually

siljaline · Feb 17, 2013

As recommended here.

SweX said:

Thx Ron, then I know when to make an update as I update manually
Click to expand...

siljaline · Feb 17, 2013

http://blogs.adobe.com/psirt/2013/0...y-for-adobe-reader-and-acrobat-apsa13-02.html

We just updated the Security Advisory (APSA13-02) posted on Wednesday, February 13, 2013 to include the planned schedule for a patch to resolve CVE-2013-0640 and CVE-2013-0641. Adobe plans to make available updates for Adobe Reader and Acrobat XI (11.0.01 and earlier) for Windows and Macintosh, X (10.1.5 and earlier) for Windows and Macintosh, 9.5.3 and earlier 9.x versions for Windows and Macintosh, and Adobe Reader 9.5.3 and earlier 9.x versions for Linux during the week of February 18, 2013.
Click to expand...

Hungry Man · Feb 17, 2013

EMET 3.5 will prevent this exploit at multiple steps. I would suggest using it.

Syobon · Feb 18, 2013

Hungry Man said:

EMET 3.5 will prevent this exploit at multiple steps. I would suggest using it.
Click to expand...

yep
https://twitter.com/msftsecresponse

even 3.0 will do.

ronjor · Feb 20, 2013

Adobe Patches Sandbox-Escaping Vulnerabilities in Reader, Acrobat
By Mike Lennon on February 20, 2013

Today, Adobe has released fixes to resolve the two vulnerabilities, CVE-2013-0640 and CVE-2013-0641, and recommends users update their product installations to the latest versions.
Click to expand...

http://www.securityweek.com/adobe-patches-sandbox-escaping-vulnerabilities-reader-acrobat

siljaline · Feb 20, 2013

Re: Adobe Reader XI (11.0.02)

As per:
• http://blogs.adobe.com/psirt/2013/0...y-for-adobe-reader-and-acrobat-apsa13-02.html

Although they did say this week, they did not specify when, alas ...

[avoid bloat - added toolbars, third-party offerings] http://get.adobe.com/reader/

*Note* re-introduces "AdobeARM.exe" to MSCONFIG.

http://www.systemlookup.com/Startup/20618-AdobeARM_exe.html

If you want Adobe Reader phoning home every time you boot your PC, leave at start-up.

ZeroVulnLabs · Feb 22, 2013

ExploitShield will stop this also. Video at
http://www.zerovulnerabilitylabs.com/home/exploitshield-corporate-edition-preview/

Syobon · Feb 22, 2013

ZeroVulnLabs said:

ExploitShield will stop this also. Video at
http://www.zerovulnerabilitylabs.com/home/exploitshield-corporate-edition-preview/
Click to expand...

cool

Dark Shadow · Feb 22, 2013

Hungry Man said:

EMET 3.5 will prevent this exploit at multiple steps. I would suggest using it.
Click to expand...

EMET is a neat little tool to have or exploit shield.IMO I think everyone should at least one of them on board,Especially having reader,Flash,Java etc.

Log in or Sign up

Zero-day vulnerability in Adobe Reader

ronjor Global Moderator

siljaline Registered Member

DrBenGolfing Registered Member

ronjor Global Moderator

ronjor Global Moderator

FanJ Updates Team

siljaline Registered Member

Hungry Man Registered Member

siljaline Registered Member

ronjor Global Moderator

SweX Registered Member

siljaline Registered Member

siljaline Registered Member

Hungry Man Registered Member

Syobon Registered Member

ronjor Global Moderator

siljaline Registered Member

ZeroVulnLabs Developer (aka "pbust")

Syobon Registered Member

Dark Shadow Registered Member

Log in or Sign up

Zero-day vulnerability in Adobe Reader

ronjor Global Moderator

siljaline Registered Member

DrBenGolfing Registered Member

ronjor Global Moderator

ronjor Global Moderator

FanJ Updates Team

siljaline Registered Member

Hungry Man Registered Member

siljaline Registered Member

ronjor Global Moderator

SweX Registered Member

siljaline Registered Member

siljaline Registered Member

Hungry Man Registered Member

Syobon Registered Member

ronjor Global Moderator

siljaline Registered Member

ZeroVulnLabs Developer (aka "pbust")

Syobon Registered Member

Dark Shadow Registered Member

Useful Searches